Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lmateus
Staff
Staff

Created on ‎03-10-2010 03:27 AM Edited on ‎05-26-2022 06:58 AM By Anonymous

Article Id 196865

Technical Note : FortiGate 'ldap-memberof' query fails when the AD user is only member of one group

Description
When configuring LDAP authentication on FortiGate, the 'ldap-memberof' attribute can be used to check the user group membership to grant access accordingly.

For example:

config user group
    edit "first"
        set group-type sslvpn
        set ldap-memberof "CN=first,OU=Groups,DC=testlab,DC=com"
            set member "my-ldap-server"
        set sslvpn-portal "testportal"
    next
end



This will work, except for users that are only members of one group in Active Directory.

The "memberof" attribute of the LDAP user is only populated with groups to which the user belongs to, except the user Primary Group. This is why, when the user is only member of its Primary Group, the FortiGate LDAP authentication will fail after receiving empty member-of query result.

 


Reference

 


Scope

 


Workaround
As a workaround, an additional group membership should be added to the LDAP user and this group has to be set Primary group in Active Directory.

 


Problem Verification

 

 

Labels:
3873
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.